[Config] Can I configure an ASA5505 to load balance with dual IS in Cisco

[Config] Can I configure an ASA5505 to load balance with dual IS in Cisco http://www.dslreports.com/forum/r20763783 en Wed, 03 Dec 2008 02:49:45 EDT Wed, 03 Dec 2008 02:49:45 EDT Re: Changing the question.... http://www.dslreports.com/forum/remark,20986084 anon :

said by aryoba

:

Did you know that IPSec VPN in general is not a good approach for VoIP, especially over DSL line?

No. Am I actually sending VoIP traffic over my VPN if they are on different public IPs? Since there is the DSL line has a minimum level of service, my desire would be to route VoIP traffic over the DSL line rather than the cable line, or shouldn't I bother to be concerned about this and look to configuring only VPN traffic over DSL and everything else through the cable connection?

I'm really struggling to understand how to improve overall speed, retain VoIP quality and stay within our financial capabilities. Am I aiming at an impossible target?

Don't get me wrong, I appreciate the help, but as stated before, I really don't know all that much about networking (I'm a programmer by background) and I am trying to understand.]]> http://www.dslreports.com/forum/remark,20986084 Thu, 21 Aug 2008 16:17:13 EDT Re: Changing the question.... http://www.dslreports.com/forum/remark,20985894 cramer :

said by aryoba

:

your connection is pretty much at the mercy of your telco, ISP, and transit ISP.

No matter how you slice it, he's going to be dependant on them. The problem is not the VPN, it's the INTERNET. I have lan-to-lan VPNs cross the US and across the atlantic; they work just fine.]]> http://www.dslreports.com/forum/remark,20985894 Thu, 21 Aug 2008 15:34:37 EDT Re: Changing the question.... http://www.dslreports.com/forum/remark,20985854 aryoba : Did you know that IPSec VPN in general is not a good approach for VoIP, especially over DSL line? Not to mention that this will be a IPSec VPN tunnel between Costa Rica and US.

By deploying IPSec VPN in such environment, your connection is pretty much at the mercy of your telco, ISP, and transit ISP. Yes, it is cheap solution; however in general it won't be reliable solution.

If you prefer to have better reliability, then you might want to consider MPLS. :)]]> http://www.dslreports.com/forum/remark,20985854 Thu, 21 Aug 2008 15:26:57 EDT Changing the question.... http://www.dslreports.com/forum/remark,20985756 anon : Thanks for the replies. I've come to realize that this isn't possible with just the 5505 and that I need a router in front of it. Any recommendations on a router and how to configure it?

Again, we have a 512K DSL line that I would like to retain for the vpn that we maintain to our home office (we are on their domain and host a domain controller in our office, connect to Exchange in their office, etc.). I occasionally access our network from home using a vpn as well. Inside we are running three servers on a 192.168.x.x network: the aforementioned domain controller, a phone server (trixbox with a IAX connection to the states using Junction Networks), and a development server. We have several public IPs, two of which are routed to the phone and dev servers.

I would really like to make this work as it would benefit everyone in the office, so I am appreciative of any help you can provide.]]> http://www.dslreports.com/forum/remark,20985756 Thu, 21 Aug 2008 15:09:11 EDT Re: [Config] Can I configure an ASA5505 to load balance with dua http://www.dslreports.com/forum/remark,20931748 cramer : I do something very similar to what you are asking to do. However, I do it with a Pix 520 (old 3u beast.) I'm not sure you can do this with just a 5505. To quote Cisco, it's a firewall not a router (or load balancer.) The "SEC" model might allow enough vlans to rig it up. The base license only allows an inside, outside, and restricted DMZ (blocked from one of the other two nets.) It certainly doesn't have any load balancing logic; traffic will go where the route table says.

My network consists of 2 internal networks, a DMZ, and 3 ISPs links. The internal networks are 2 vlans on the "inside" interface -- "lan" at lvl 100, and "lab" at lvl 99. The DMZ is it's own NIC. The "outside" links are 3 vlans on one nic... 2 = DSL (end of the universe backup), 3 = T1, and 4 = DS3... all at lvl 0. Site-to-Site VPNs are nailed to the T1. VPN clients can connect to any interface, but because of the lack of hairpin capability, VPN users connect to a seperate pix 501 (on the DS3.)

[Note: my pix520 setup runs into a lot of limitations that don't exist for the ASAs.]]]> http://www.dslreports.com/forum/remark,20931748 Mon, 11 Aug 2008 01:32:56 EDT Re: [Config] Can I configure an ASA5505 to load sharing with dua http://www.dslreports.com/forum/remark,20793553 aryoba : Without seeing your IP address scheming, it's hard to tell what routing design is needed. Therefore I could probably provide only general comments :)

When the VoIP, HTTP, and FTP machines (either user/subscriber or the server) are physically separated; then you should be able to set routing decision which source IP address to reach specific destination IP address through specific connection. If there are some machines that need to connect both HTTP and FTP server let's say, then you also have to set routing decision based on the TCP or UDP port numbers.

Whichever direction you take, make sure that both end configuration (your end at Costa Rica and the other end at the US) must match. Otherwise, there will be some unexpected behavior such as asymmetric routing and service performance degradation.]]> http://www.dslreports.com/forum/remark,20793553 Tue, 15 Jul 2008 09:16:08 EDT Re: [Config] Can I configure an ASA5505 to load sharing with dua http://www.dslreports.com/forum/remark,20790508 anon : Hi. Thanks for taking the time to try to help me out. We are in Costa Rica and acting as a branch office from our "headquarters" in the US and we use the vpn for secure communications between the offices (email, file upload/down to production server, domain authentication (via local server)). We use asterisk internally for our phone system which maintains a SIP connection with Junction Networks for our long distance communications in the states. The rest of the traffic is just "regular user" traffic (http, ftp, IM, skype, etc.)

What I would like to do is add the second connection and router all of the "regular" traffic through that connection and leave the vpn connection and SIP traffic on our DSL connection.

Thanks again for any help you can provide.
- Henry

I am a bit reluctant to post any specifics about IPs and VPN data as we are just users and not in control and I wouldn't want to be responsible for disclosing too much information. Internally we are NAT'd and running in the 192.168.x.x address schema.]]> http://www.dslreports.com/forum/remark,20790508 Mon, 14 Jul 2008 17:10:54 EDT Re: [Config] Can I configure an ASA5505 to load sharing with dua http://www.dslreports.com/forum/remark,20781830 aryoba : Can you post more details? I'm looking for source and destination IP addresses and/or subnets of these VPN, VoIP, HTTP, FTP, and all other traffic.]]> http://www.dslreports.com/forum/remark,20781830 Sat, 12 Jul 2008 19:11:28 EDT Re: [Config] Can I configure an ASA5505 to load sharing with dua http://www.dslreports.com/forum/remark,20781700 anon : Can anyone tell me whether this is even possible?

Anyone?]]> http://www.dslreports.com/forum/remark,20781700 Sat, 12 Jul 2008 18:43:15 EDT [Config] Can I configure an ASA5505 to load balance with dual IS http://www.dslreports.com/forum/remark,20763783 anon : We have an ASA5505 configured to use our DSL connection, which is only 512KB (cost is the issue; we are a non-profit with a small budget). We would like to add a second internet connection (3MB cable connection, cheap) and would like to do so with our existing hardware. Ideally, we would like to limit voip and vpn traffic to our existing connection and route all http/ftp/etc. traffic through the cable connection. Right now, any time someone in our little office decides to download something, it kills the rest of us, especially voip traffic. I've tried adding QoS priority for voip traffic and ended up putting an FTP download choke in place to try to preserve voip clarity and some bandwidth for others.

I'm almost a total noob to this device (and cisco device management in general) and would like to know if this is possible, and if so, how to go about it. Any help would be greatly appreciated.

- Henry]]> http://www.dslreports.com/forum/remark,20763783 Wed, 09 Jul 2008 11:31:45 EDT